The staff of the Securities and Exchange Commission (SEC) recently has begun to publish a new type of informal guidance referred to as "Disclosure Guidance" or a "Staff Observation. "Although this guidance represents only the views of the staff and has not been approved by the SEC, it nonetheless provides helpful tips on such matters as reporting and disclosure obligations in specific circumstances based on the staff's experience working with registrants and their counsel.
On October 13, 2011, the staff published its views regarding disclosure obligations related to cybersecurity risks, including risks related to information security. According to the staff, the increasing dependence on digital technologies in the day-to-day operations of nearly every registrant and an increased cybersecurity risk have resulted in greater focus on registrants' disclosure obligations with respect to cybersecurity matters. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the staff confirmed its view that a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. As a result, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents, just as they should with any other operational and financial risk.
Please see full publication below for more information.